A layered approach, including safeguards against your own privileged users, may be your best bet for data security.

By Phil Neray H

ealthcare industry IT has traditionally focused on improving patient care. When it comes to protecting sensitive information, the atten- tion has been around securing physical docu- ments and facilities. While this has helped with privacy from the physical loss of data, in a growing number of cases cyber assets have been left at risk.

Healthcare data: Low-hanging fruit for hackers Since many fi nancial and retail organizations have stepped up security following high-profi le data breaches in recent years, healthcare organizations became a top target in 2010. According to the Identity Theft Resource Center (ITRC), 113 healthcare institutions were hit by data breaches between January and July 2010, nearly three times what the fi nancial sector experienced in the same timeframe. According to the HHS, 214 healthcare orga- nizations were breached in 2010 (as of December 27), with 6.3 million patients affected.

While medical data may not be as attractive as credit card numbers, medical records are incredibly valuable to those interested in committing insurance fraud or stealing identities.

So it’s easy to see why database servers – in any industry – have become hot targets for cyber criminals and rogue insiders.

Don’t hang your hat on HIPAA or perimeter security Simply passing IT compliance and HIPAA audits with “checks in the boxes” doesn’t make an organiza- tion secure. Perimeter security and trusted insiders can often be threats, whether intentional or not.

Of course, healthcare isn’t the only industry where insiders can be threats. Verizon’s 2010 Data Breach In- vestigations Report showed that nearly half of the data breaches across all industries were caused by trusted insiders.

When it comes to information security, there are two major considerations for the healthcare industry:

18 March 2011

1. Many hospitals are focused on preventing unau- thorized access by outsiders, using fi rewalls, rather than preventing intrusion by insiders. Firewalls as a standalone are insuffi cient. They must be part of a larger solution that layers approaches to include the monitoring and auditing of sensitive data.

2. Healthcare organizations are more focused on pre- venting accidental or physical data leakage via e-mail or lost laptops, while the risks and costs associated with incidents caused by rogue administrators, such as database administrators (DBAs), developers and outsourced personnel who have virtually unlimited access to critical data, are signifi cantly higher. Many organizations are not monitoring activities by these privileged users, and as a result are not even aware of data breaches until it is too late. Data breaches have declined in the fi nancial sector be-

cause fi nancial companies have moved beyond perimeter security. All of the major banks have implemented technology to monitor and protect sensitive informa- tion stored in databases – preventing unauthorized

Phil Neray is VP of security strategy, IBM/Guardium. For more information on IBM/Guardium solutions:

access by insiders and outsiders. Healthcare organizations are falling behind, and the health information exchanges outlined under federal meaningful-use guidelines of electronic medical records will centralize data in big data warehouses, making data breaches an even bigger risk. It would be good for healthcare organizations to take a page from the healthcare insurance providers and pharmacy benefi t providers. Many of those companies have already followed the fi nancial industry’s suit and deployed database security and activity monitoring tech- nologies to protect their fi nancial/ERP data and comply with regulations such as SOX. With more than 214 healthcare organizations breached in 2010, and more than 6.3 million patients now at risk (according to the U.S. government), we need to advance beyond the perimeter approach and physical focus and concern ourselves with insiders to help protect patient data in 2011.